Teaching a Vendor to Phish: How to Help Your Vendors Remediate Cyber Risks

Identifying the cybersecurity gaps in your vendor ecosystem is only one part of solving for risk. Risk management and reduction can only be achieved when third-party risk management programs make concrete investments to support their vendors in making timely and cost-effective improvements in their cybersecurity program.

Here at CORL, we are committed to more than risk measurement. We foster excellence and accountability on both sides of the vendor contract by actively championing and managing proactive remediation and risk maintenance.

While our approach is inherently partner agnostic, we provide vendors best-in-class risk reduction services through our sister company, Meditology Services. As a premier consulting services partner that is 100% focused on the healthcare space, Meditology delivers a full range of capabilities for compliance and certification to actively address the gaps identified by CORL and help business associates elevate their cybersecurity posture, best positioning their organizations to service the cyber-sensitive healthcare space.

We have asked the team at Meditology to provide us with a rundown of the most commonly requested services that result in the greatest risk reduction for vendors and their customers. We also matched that guidance up against CORL’s most frequently requested remediation areas for vendors that we see across the thousands of assessments we conduct on behalf of our customers.

Cyber remediation services that have the greatest impact on vendor risk reduction:

Incident Response

When a cyberattack is underway against a healthcare vendor, it becomes a high-priority security incident for the vendor as well as the vendor’s customer base. It is imperative that vendors maintain mature Incident Response Plans (IRPs) that are tested routinely over time.

Vendor security teams must be prepared for common threat vectors including ransomware and have specific playbooks and well-documented roles and responsibilities.

Some actions you can take to support your vendors’ incident response program include:

  • Invite your vendors to participate in incident response tabletop testing exercises and join some of their sessions as well
  • Be transparent with your own incident response security policies and procedures and be willing to share templates and examples with your vendors
  • Advise vendors of leading practices including new incident response standards and practices (e.g. the new healthcare incident response checklist from HSCC)
Penetration Testing

You don’t know what you don’t know. Healthcare entities should encourage and require routine technical penetration testing for vendor networks to help drive visibility into network-facing vulnerabilities.

Penetration tests also provide a means of validating the maintenance and improvement of vendor security programs over time. The vendor should be able to demonstrate a reduction in the volume and criticality of findings upon each subsequent penetration test.

Some actions you can take to support your vendors’ penetration testing program include:

  • Educate vendors on the importance of routine penetration testing and its prominent role in risk reduction and cyber risk management
  • Introduce vendors to trusted penetration testing firms that have experience in the healthcare industry
  • Connect your internal red team and technical security resources with the vendor’s security team; offer knowledge sharing opportunities
  • Share threat intelligence information and emerging security trends
  • Advise the vendor on products and services that can be engaged to resolve critical- and high-risk penetration test findings
SOC 2 & HITRUST Certifications

Cybersecurity certifications like SOC 2 and HITRUST are one of the most efficient and effective ways of driving healthcare organizations into rapid compliance with industry standard practices.

SOC 2 and HITRUST certifications help to educate a wide variety of stakeholders on specific cybersecurity controls and implementation requirements. The clear and prescriptive nature of the control requirements pushes IT and security resources to align with standards and also actively engages other parts of the business like HR, physical security, and executive leadership in the cybersecurity mission.

Some actions you can take to support your vendors’ adoption of cybersecurity certification(s) include:

  • Educate vendors on the value of investing in a cybersecurity certification like SOC 2 and HITRUST
  • Explain the differences between certifications and counsel the vendor on pros and cons of each (if known)
  • Share your own approaches to addresses specific security controls that are required for certification including tools and processes
  • Introduce vendors to trusted HITRUST and SOC 2 certification firms like Meditology that have a proven track record in the healthcare industry
HIPAA & OCR Compliance

Healthcare organizations and their vendors are bound together in the shared regulatory mandates for HIPAA Covered Entities (CEs) and Business Associates (BAs).

While the requirements of the HIPAA Security Rule vary somewhat between CEs and BAs, the core foundation of requirements a common for all including administrative, physical, and technical requirements. Noncompliance with the HIPAA Security Rule is also governed by the same authority in the Office for Civil Rights (OCR).

One of the most critical HIPAA Security Rule provisions is the requirement to conduct a Security Risk Analysis. Vendors servicing healthcare must conduct routine risk analysis initiatives (e.g. annually) in alignment with security control standards like HITRUST and NIST. You can learn more about this requirement in Meditology’s Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQ publication.

Some actions you can take to support your vendors’ HIPAA compliance include:

  • Educate vendors on HIPAA Security Rule requirements and OCR audit expectations
  • Advise the vendor of industry trade groups, forums, and conferences that specialize in HIPAA compliance and cybersecurity
  • Share policies and procedures for HIPAA compliance with vendors to help them craft or update their own policies
  • Introduce vendors to trusted HIPAA security and privacy firms that have a proven track record in the healthcare industry
Other Support

This list is by no means the only way that you can help vendors with their security remediation efforts, but it serves as a useful starting point.

Other ways to support vendors with their security remediation efforts include:

  • Educate vendors on ransomware risks and related threat vectors, incident response playbooks, and technical protection mechanisms
  • Provide cloud security subject matter expertise, guidance and resources. Introduce your vendors to trusted cloud security service providers with proven track records in healthcare
  • Where applicable, educate vendors on PCI-DSS credit card protection requirements including compliance provisions, vulnerability scanning best practices, and other remediation support

Contact our team here at CORL or our sister company, Meditology Services, to learn more about our services and technology dedicated to improving cybersecurity and compliance programs for healthcare entities and their vendors.

Most Recent Posts
Change Healthcare Cyber Attack: Implications for Third-Party Incident Response in Healthcare Cybersecurity Read More
Do You Understand Your Vendors' SOC 2 Reports? Read More
The Unintended Risks of Third-Party Cybersecurity Questionnaires  Read More